Enhancing Security in the Software Supply Chain

Mike Emery | Senior Security Consultant at URM | Published on 24 Oct 2024

Supply chain attacks have been thrust into the limelight recently. This often-overlooked type of vulnerability is suddenly at the forefront of many people’s minds. Whilst we don’t all face threats from nation state adversaries, supply chain vulnerabilities can affect all organisations.

A lot of people would assume that this is limited to hardware supply chains; however, software also has complex, sometimes nested, supply chains, which can be next to impossible to fully document.

Challenges and Risks in Software Supply Chains

With hardware, understanding how supply chain vulnerabilities occur is quite obvious. When components are sourced from different manufacturers, each of those suppliers represents an opportunity for a supply chain weakness to be exploited.

In software (including web applications), whilst less tangible, the exact same thing happens. Much like hardware is assembled from off-the-shelf components, software is built using pre-made libraries, which save developers time and, in theory, provide them with well-tested, trusted code. These libraries, also called dependencies, can make up the majority of the code present in a solution, and the libraries in use can in turn have their own dependencies. This leads to a complex structure of interconnected code drawn from a wide variety of sources.

https://xkcd.com/2347

The above XKCD comic does a good job of summarising this and highlights that often critical software depends on libraries created by hobbyist groups or individuals.  If a hardware component you sourced was manufactured by someone in their shed, how much would you trust it?  Large corporations place huge amounts of trust in open source libraries, often blindly.

Whilst that may sound like a slight on open source developers, open source libraries are the best case scenario. The code can be audited, and, by necessity, all of the dependencies must be listed.  Now imagine a closed source piece of software, where no source code is present.  As the customer, you have no idea how many libraries are in use, or where they have come from.  How can you trust the software to be free from supply chain weaknesses?

Of course, supply chain vulnerabilities in code don’t have to be malicious additions by attackers. They can simply be exploitable bugs in the code. What makes them pernicious is the difficulty of patching them when they form part of a larger application. For closed source or proprietary applications, you have to trust that your supplier is updating the libraries they’re using from all of their suppliers. Once this is apparent, it becomes easy to understand why vulnerabilities like Heartbleed and Log4j were such big news. Simply patching your operating system can’t fix the vulnerability; each and every vendor has to update the vulnerable component and repackage their application.

Mitigating the Risks and Overcoming the Challenges

So, with the problem being as it is, what can you do?  There are a number of things to consider:

  • Carefully evaluate the need for third-party libraries/dependencies; the fewer present, the less to manage.
  • Consider the trustworthiness of third parties; do you need to perform any internal validation of their security?
  • Fully document all dependencies and their versions.  This will allow you to understand your attack surface and when a vulnerability affects you.
  • Ask these questions of any commercial suppliers of software; you can perform third-party risk assessments to evaluate this.
  • Once the software is deployed, perform regular security assessments to highlight any vulnerabilities present or missing security patches.  It is common for vulnerabilities to be identified in commercial software through their dependencies, with our direct customers having to liaise with their supplier in order to have the vulnerability addressed.  Without this testing, the vulnerability would have remained!
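As an added example (not code from the article or from URM), the following Python script shows what the "fully document all dependencies and their versions" point looks like in practice: it walks a constructed, lockfile-style dependency tree, records every transitive dependency together with the path through which it is pulled in, and matches that inventory against constructed advisories with version ranges. All package names, versions and advisories are made up for illustration.

```python
# Added example (not part of the URM article): flatten a nested dependency
# tree into a complete inventory and check it against advisories.
# Package names, versions and advisories are constructed for illustration.
from typing import Dict, List, Tuple

# Constructed lockfile-style data: each package pins what it requires.
# "webapp" declares only two direct dependencies but pulls in four.
LOCK = {
    "webapp":   {"requires": {"httpkit": "2.3.1", "logfmt": "4.1.0"}},
    "httpkit":  {"requires": {"tlslib": "1.0.1"}},
    "logfmt":   {"requires": {"jsonbits": "0.9.2"}},
    "tlslib":   {"requires": {}},
    "jsonbits": {"requires": {}},
}

# Constructed advisories: (package, first vulnerable version, first fixed version).
ADVISORIES = [
    ("tlslib", (1, 0, 1), (1, 0, 2)),
    ("jsonbits", (0, 9, 0), (0, 9, 2)),   # 0.9.2 is already the fixed release
]

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple of integers."""
    return tuple(int(p) for p in v.split("."))

def inventory(root: str, lock=LOCK) -> Dict[str, Tuple[str, List[str]]]:
    """Map every transitive dependency of root to (version, path from root)."""
    seen: Dict[str, Tuple[str, List[str]]] = {}
    stack = [(root, [root])]
    while stack:
        name, path = stack.pop()
        for dep, ver in lock[name]["requires"].items():
            if dep in seen:
                continue              # keep the first path found; also stops cycles
            seen[dep] = (ver, path + [dep])
            stack.append((dep, path + [dep]))
    return seen

def affected(root: str, lock=LOCK, advisories=ADVISORIES) -> List[Tuple[str, str, str]]:
    """Return (package, version, dependency path) for each advisory that applies."""
    inv = inventory(root, lock)
    hits = []
    for pkg, first_bad, fixed in advisories:
        if pkg in inv:
            ver, path = inv[pkg]
            if first_bad <= parse_version(ver) < fixed:
                hits.append((pkg, ver, " -> ".join(path)))
    return hits

if __name__ == "__main__":
    for pkg, ver, path in affected("webapp"):
        print(f"{pkg} {ver} is affected via {path}")
```

The path in the output is the part a plain package list loses: it tells you which direct dependency (and therefore which supplier) has to ship the fix before your own application can be rebuilt.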

Hopefully this article has given you some insight into the software supply chain and how care needs to be taken when building or acquiring solutions to help minimise the risk of a supply chain vulnerability.

SPECIAL OFFER
Secure Your Organisation With URM’s CREST-Accredited Penetration Testing
Take the First Step Today!
Contact us before
31/12/2024
SPECIAL OFFER

How URM can Help

Software suppliers and the digital supply chain can pose significant risks to your organisation’s security, and, as such, effective cyber security risk management is an essential element of any engagement with a software supplier.  Leveraging nearly 2 decades of experience providing risk management consultancy, URM can assist your organisation through each stage of its supply chain risk management plan.   As you look to select and procure new suppliers, URM’s supplier information security risk management software, Abriska 27306, streamlines and automates the process of conducting supplier due diligence.  Abriska reduces the administrative burden associated with managing a diverse range of suppliers and the possibility for human error, as well as improving the effectiveness and efficiency of your supplier security due diligence.   Meanwhile, a CREST-accredited organisation, URM can also offer effective and trustworthy penetration testing services, where we will identify any vulnerabilities affecting your IT estate and ensure the third-party software your organisation relies on for its continued operation and success is secure.

Mike Emery
Senior Security Consultant at URM
Mike is an offensive security consultant with URM with over a decade of experience delivering both technically and business driven engagements.
